Though human errors — such as falling for phishing scams that result in data compromise or credential theft — remain one of the top security risks for organizations today, few appear to be making much progress in addressing the problem.
The sixth and latest edition of the SANS Institute's annual security awareness report, released Tuesday, shows that enterprise initiatives for minimizing human risk continue to be little more than a part-time effort at many organizations.
The survey of over 1,500 professionals involved in security awareness training found that 75% spend less than half their time on that task. When responsibility for the function was assigned, it commonly went to staff with overly technical backgrounds who lacked the skills to engage the workforce in easy-to-understand terms.
"Overall, the data is trending the same" as in previous years, says Lance Spitzner, SANS security awareness director and co-author of the report. "Awareness continues to be a part-time effort, which is why so many organizations are struggling to effectively secure employee behavior and ultimately manage human risk."
A lack of time and personnel continue to pose big challenges for organizations seeking to build a mature security awareness program, the survey found. Organizations that had made progress in changing employee behaviors with their awareness programs had at least 2.5 full-time equivalent employees dedicated to the mission. Organizations with the most mature awareness programs had at least 3.5 full-time employees.
However, SANS found the percentage of organizations that actually reported having staff of any size dedicated full time to the security awareness function was low.
"Roughly 10% of organizations out there — represented by our respondents — have someone dedicated full time" to security awareness, Spitzner says. "That is similar to what we have seen over the past surveys, [so] no real change there."
In most other cases, when an organization has someone working in security awareness, that person is in IT or security and already has numerous other responsibilities, he notes. The SANS survey found that salaries, on average, were higher for individuals in other roles handling security awareness on a part-time basis ($106,000) than for individuals dedicated to the role on a full-time basis ($96,000).
As in past surveys, SANS polled respondents on their backgrounds and roles prior to working in security awareness: more than 800 of the 1,500 surveyed professionals had backgrounds in information security or information technology before they began work in security awareness. Fewer than 20% had a nontechnical background, such as marketing, communications, legal, or human resources.
The problem with having people from overly technical backgrounds perform training is that they can have a harder time communicating and teaching security fundamentals to nontechnical people. Though a certain level of technical expertise is essential for working in security awareness, experts in the field can often perceive security as easy to understand simply because it is part of their daily life, SANS observed in its report.
"Human risk is a people problem, so it takes a human solution" to address it, says Spitzner.
However, that does not mean soft skills alone, with no technical grounding, are enough for a security awareness role.
"The awareness professional should be an extension of the security team," Spitzner notes. "This means they should have a basic understanding of cybersecurity, the models and frameworks involved, and perhaps a basic understanding of the technology and attackers involved."
They would also need to have a passion for learning and helping and have strong skills in communicating and partnering with others, he says.
The Right Focus
SANS said organizations should ensure that any person they put in charge of the security awareness function has a title that emphasizes the human risk aspect of the role — for example, "human risk officer." Often, organizational leaders have a tendency to discuss the role in the context of awareness, training, engagement, or influence.
But those terms focus on what's being done rather than why it needs to be done, Spitzner says. "Managing human risk" is a better fit, he says, because "it aligns with leadership's strategic security priorities and explains why awareness needs to be an extension of the security team."
SANS found that security awareness programs typically garner the strongest support from the information security and IT teams, as well as human resources, audit, and senior leadership. Conversely, the biggest opposition to these efforts typically existed within operational teams and the finance group — likely because these are two areas affected most by security awareness programs.
To address concerns from the finance group, SANS recommends security leaders focus on the value of security awareness programs. One way to do that would be to consider the cost of past breaches or compliance failures and compare it to the cost of the security awareness program. Similarly, to address the concerns of operational groups, the security awareness group should focus on ways to reduce lost work hours due to training — by, for example, reducing the number of topics to focus upon.
"Awareness is nothing more than another security control, one designed to manage human risk," Spitzner says. "Security teams need to be treating it as such."